Is This the Death of Passwords?

Is it possible that your next password might be as simple and subtle as the way you type or hold your smartphone? If you hate trying to fill out those CAPTCHA forms with impossible-to-decipher characters, a new strategy for telling the difference between people and computers might give you some hope.

Secrets are used to keep our stuff safe on computers; for nearly three decades now, that secret has chiefly been a password, or in security lingo, “something you know.” Advanced security systems can deploy an added layer, such as a token (or at banks, a debit card), which is “something you have.” And really high-tech systems involve biometrics, such as a retina or fingerprint scan, known as “something you are.”

So far, none of these techniques has proven robust enough to stop hackers’ endless efforts to steal critical information, whether it’s millions of Target credit card numbers or access to computers that control national infrastructure. Passwords are notoriously unreliable – too hard for users to remember and too easy for determined criminals to guess. Tokens get lost. Fingerprints can be replicated.

In other words, to cyberthieves, credit card numbers and other personal information is still “something you steal.”

A key that can’t be hacked?

The continued race to stop high-tech crooks has led researchers to try yet another security frontier – and this time, they hope to be creating something that is so unique that it cannot be copied, yet is so easy to use that it doesn’t have to be remembered. They are trying a strategy known as “something you do.”

All computer users type at a unique speed, creating a pattern that is perhaps more personal than the way they sign their name. Smartphone users tilt their phones when they type, or scroll, or watch, in very personal patterns. It’s now possible to measure these things people do, turn the patterns into an algorithm, and create an authenticator that users simply can’t forget. It’s also so unique, researchers hope, that criminals won’t be able to impersonate it.

“The information is so specific to you it can’t be hacked.”

William Scheckel is chief marketing officer at one of the companies trying to solve this riddle: Oxford BioChronometrics, which spun out of the ISIS Software Incubator set up by Oxford University. He says the method has real promise.

"Phone manufacturers can identify you based on information from the gyroscopic device in your handset," Scheckel said. "Say your bank uses this technology and you hand your phone to another person. Using this method, the bank would shut the (transaction) down."

Oxford BioChronometrics puts together a number of these “something you do” patterns into a mathematical formula it calls electronically Defined Natural Attributes, or e-DNA. Scheckel says that using the set of highly personal characteristics creates an authentication tool that’s hard to defeat.

“The information is so specific to you it can’t be hacked,” he said.

That’s a bold claim, sure to be tested. Many “unhackable” login strategies have been foiled by criminals. One potential method: a “man-in-the-middle” attack which essentially enables a criminal to trick a user into logging in, then lets the hacker joy-ride into the now-authenticated account to steal money or commit other forms of ID theft.

All computer users type at a unique speed, creating a pattern that is perhaps more personal than the way they sign their name.

But it’s pretty clear that passwords are passé. Several high-profile hacks in recent years — including companies such as LinkedIn — have seen millions of users’ passwords exposed. Researchers have used those hacks to prove that passwords are terribly insecure anyway, with a high percentage of users opting for obvious “secret” words like “password” or “123456.”

“Simple passwords are too easily hacked and there’s too much incentive for hackers to try. Identity theft is a growing problem because it’s profitable and simple passwords make it easy as well,” Scheckel said.

He wouldn’t disclose clients the Oxford-born company is working with, though he said it was working on a “proof of concept” test with a “major household name.”

But he would talk about the interesting side benefit of Oxford BioChronometrics’ product: It is particularly good at discriminating between real people and “bots” that try to automatically log in to websites around the Web and wreak havoc -- bots which have typing patterns that are obviously computer-generated. Right now, most websites use CAPTCHA forms to root out annoying bots, but they mostly annoy real people. So in May, Oxford BioChronometrics began offering a free plugin called NoMoreCAPTCHAS to WordPress users that Scheckel says eliminates the need for CAPTCHA tests. A brand-name travel company that struggles with bots scraping its site for data is right now testing the system, he said.

Forget worries about credit card hacks: If the firm can reduce the number of times users must guess what those squiggly characters are, the entire Internet will cheer.